logo标签列表

将HTTP POST请求更改为HTTPS POST请求:

androidhttpposthttps
7

我有这个方法:

public static String getReportMetadata (String reportId, String sessionId, String url) throws Exception{

    Map<String, Object> jsonValues = new HashMap<String, Object>();
    jsonValues.put("reportID", reportId);
    jsonValues.put("sessionID", sessionId);
    JSONObject json = new JSONObject(jsonValues);

    DefaultHttpClient client = new DefaultHttpClient();

    HttpPost post = new HttpPost(url + GET_REPORT_METADATA_ACTION);

    AbstractHttpEntity entity = new ByteArrayEntity(json.toString().getBytes("UTF8"));
    entity.setContentType(new BasicHeader(HTTP.CONTENT_TYPE, "application/json"));
    post.setEntity(entity);        
    HttpResponse response = client.execute(post);

    return getContent(response);            
}

我需要编写一个执行HTTP Post请求的程序,当然我会使用AsyncTask来从服务器获取数据。

我的问题: 请问有人能简单地解释一下我需要执行哪些步骤才能将此连接类型更改为安全连接(即使用HTTPS)。仅从Android客户端的角度来看(即客户端应用程序)。

更新: 根据建议,我尝试仅更改链接并添加https而不是http,但它没有返回结果。据我所知,我确实需要获取和存储自签名证书才能连接到服务器端。

更新2: 适用于我的解决方案:

EasySSLSocketFactory:

public class EasySSLSocketFactory implements SocketFactory, LayeredSocketFactory {

private SSLContext sslcontext = null;

private static SSLContext createEasySSLContext() throws IOException {
    try {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] { new EasyX509TrustManager(null) }, null);
        return context;
    } catch (Exception e) {
        throw new IOException(e.getMessage());
    }
}

private SSLContext getSSLContext() throws IOException {
    if (this.sslcontext == null) {
        this.sslcontext = createEasySSLContext();
    }
    return this.sslcontext;
}

/**
 * @see org.apache.http.conn.scheme.SocketFactory#connectSocket(java.net.Socket, java.lang.String, int,
 *      java.net.InetAddress, int, org.apache.http.params.HttpParams)
 */
public Socket connectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort,
        HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
    int connTimeout = HttpConnectionParams.getConnectionTimeout(params);
    int soTimeout = HttpConnectionParams.getSoTimeout(params);
    InetSocketAddress remoteAddress = new InetSocketAddress(host, port);
    SSLSocket sslsock = (SSLSocket) ((sock != null) ? sock : createSocket());

    if ((localAddress != null) || (localPort > 0)) {
        // we need to bind explicitly
        if (localPort < 0) {
            localPort = 0; // indicates "any"
        }
        InetSocketAddress isa = new InetSocketAddress(localAddress, localPort);
        sslsock.bind(isa);
    }

    sslsock.connect(remoteAddress, connTimeout);
    sslsock.setSoTimeout(soTimeout);
    return sslsock;

}

/**
 * @see org.apache.http.conn.scheme.SocketFactory#createSocket()
 */
public Socket createSocket() throws IOException {
    return getSSLContext().getSocketFactory().createSocket();
}

/**
 * @see org.apache.http.conn.scheme.SocketFactory#isSecure(java.net.Socket)
 */
public boolean isSecure(Socket socket) throws IllegalArgumentException {
    return true;
}

/**
 * @see org.apache.http.conn.scheme.LayeredSocketFactory#createSocket(java.net.Socket, java.lang.String, int,
 *      boolean)
 */
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException,
        UnknownHostException {
    return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
}

// -------------------------------------------------------------------
// javadoc in org.apache.http.conn.scheme.SocketFactory says :
// Both Object.equals() and Object.hashCode() must be overridden
// for the correct operation of some connection managers
// -------------------------------------------------------------------

public boolean equals(Object obj) {
    return ((obj != null) && obj.getClass().equals(EasySSLSocketFactory.class));
}

public int hashCode() {
    return EasySSLSocketFactory.class.hashCode();
}
}

EasyX509TrustManager:

public class EasyX509TrustManager implements X509TrustManager {

private X509TrustManager standardTrustManager = null;

/**
 * Constructor for EasyX509TrustManager.
 */
public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException {
    super();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    factory.init(keystore);
    TrustManager[] trustmanagers = factory.getTrustManagers();
    if (trustmanagers.length == 0) {
        throw new NoSuchAlgorithmException("no trust manager found");
    }
    this.standardTrustManager = (X509TrustManager) trustmanagers[0];
}

/**
 * @see javax.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[],String authType)
 */
public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
    standardTrustManager.checkClientTrusted(certificates, authType);
}

/**
 * @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[],String authType)
 */
public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
    if ((certificates != null) && (certificates.length == 1)) {
        certificates[0].checkValidity();
    } else {
        standardTrustManager.checkServerTrusted(certificates, authType);
    }
}

/**
 * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
 */
public X509Certificate[] getAcceptedIssuers() {
    return this.standardTrustManager.getAcceptedIssuers();
}
}

我添加了这个方法:getNewHttpClient()

public static HttpClient getNewHttpClient() {
    try {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sf, 443));

        ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);

        return new DefaultHttpClient(ccm, params);
    } catch (Exception e) {
        return new DefaultHttpClient();
    }
}

最后,对于我代码中的每个位置,我都有:

DefaultHttpClient client = new DefaultHttpClient();

我用以下内容替换它:
HttpClient client = getNewHttpClient();

我现在能够接收来自服务器端的数据,最后一个问题是:我所做的是否安全?或者它会接受每个自签名证书?如果是这种情况,应该怎么做才能更改它?
任何帮助都将不胜感激。
也许Javadoc能帮到你:SchemeRegistry SSLSocketFactory - mleczey
1
根据HTTPClient SSL Guide的指南,你需要做的唯一事情就是将"https://"添加到你的URL字符串中。这将为你提供一个具有与浏览器等级相当的认证水平的HTTPS连接(即数百个CA中的任何一个都可以签署服务器证书)。SchemeRegistrySSLSocketFactory只有在你想自定义SSL处理时才会发挥作用,通常是为了实现SSL pinning(即使用更强的真实性约束)。请查看Moxie的github获取一个好的(LGPL许可的)Android ssl pinner。 - Barend
@Barend,我尝试仅更改链接并将http更改为https,但它没有返回答案。据我所知,我需要获取和存储自签名证书才能连接到服务器端。 - Emil Adz
1
啊,你从未提到终端点正在运行自签名证书。是的,您需要使用SSLSocketFactory(KeyStore trustStore)构造函数创建自定义的SSLSocketFactory实例。您传递的密钥库必须包含您的服务器证书。 - Barend
我对所有这些安全连接的东西都很陌生,所以我不知道它会有什么影响。您能否详细说明一下这个主题或提供一些代码片段?那将非常有帮助。 - Emil Adz
由于许多方法今天已经弃用,如何在API 22中解决这个问题? - KuKeC
2个回答
5

首先,您需要创建SchemeRegistry对象,并使用SSLSocketFactory注册新的Scheme:

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));

然后,您可以使用SchemeRegistry对象创建SingleClientConnManager:
SingleClientConnManager mgr = new SingleClientConnManager(schemeRegistry);

最后,您可以使用SingleClientConnManager创建DefaultHttpClient:

HttpClient client = new DefaultHttpClient(mgr);
您介意对这些对象进行更详细的说明吗?在访问https Web服务之前,我应该执行所描述的步骤吗?据我所知,我应该从服务器接收证书并将其存储在设备上,是吗? - Emil Adz
@EmilAdz 是的,在每次 https 访问之前,您都应该执行这些步骤。SchemeRegistry 只是所有 Scheme 对象的容器,它描述了 HTTPS 连接参数,因此您可以为所有调用使用一个 SchemeRegisty 对象实例。但是,您需要为每个调用使用新的 SingleClientConnManager,因为它一次只能维护一个连接。我认为存储 SSL 证书是由 Android 自身提供的,所以您不需要担心它。 - nemezis
5
Apache HttpClient SSL指南

通过SSL进行安全的HTTP通信应该与普通的HTTP通信一样简单。

因此,您只需将http:// XXXX更改为https:// XXXX
编辑:我刚看到@Barend的答案,它更完整
我尝试仅更改链接并添加https而不是http,但它没有返回答案。据我所知,我需要获取自签名证书才能连接到服务器端。 - Emil Adz
如果服务器有自签名证书,您需要告诉您的 HttpClient 接受它。如果您想要这样做,您可以在这里查看 https://dev59.com/snM_5IYBdhLWcg3wzmrL - user2340612
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接